/mandos/release : revision 237.7.325

To get this branch, use:

bzr branch
http://bzr.recompile.se/loggerhead/mandos/release

« back to all changes in this revision

Viewing changes to plugin-runner.c

Committer: Teddy Hogeborn
Date: 2015-07-20 03:03:33 UTC
mto: (237.7.594 trunk)
mto: This revision was merged to the branch mainline in revision 325.
Revision ID: teddy@recompile.se-20150720030333-203m2aeblypcsfte

Bug fix for GnuTLS 3: be compatible with old 2048-bit DSA keys.

The mandos-keygen program in Mandos version 1.6.0 and older generated
2048-bit DSA keys, and when GnuTLS uses these it has trouble
connecting using the Mandos default priority string.  This was
previously fixed in Mandos 1.6.2, but the bug reappeared when using
GnuTLS 3, so the default priority string has to change again; this
time also the Mandos client has to change its default, so now the
server and the client should use the same default priority string:

SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA:+SIGN-DSA-SHA256

* mandos (main/server_defaults): Changed default priority string.
* mandos-options.xml (/section/para[id="priority_compat"]): Removed.
  (/section/para[id="priority"]): Changed default priority string.
* mandos.conf ([DEFAULT]/priority): - '' -
* mandos.conf.xml (OPTIONS/priority): Refer to the id "priority"
                                      instead of "priority_compat".
* mandos.xml (OPTIONS/--priority): - '' -
* plugins.d/mandos-client.c (main): Changed default priority string.

files added:
plugin-helpers

plugin-helpers/mandos-client-iprouteadddel.c

files modified:
DBUS-API

INSTALL

Makefile

NEWS

TODO

common.ent

debian/changelog

debian/control

debian/mandos-client.README.Debian

debian/mandos-client.postinst

debian/mandos-client.postrm

debian/mandos.prerm

initramfs-tools-hook

intro.xml

mandos

mandos-clients.conf.xml

mandos-ctl

mandos-keygen

mandos-keygen.xml

mandos-monitor

mandos-monitor.xml

mandos-options.xml

mandos.conf

mandos.conf.xml

mandos.lsm

mandos.service

mandos.xml

plugin-runner.c

plugin-runner.xml

plugins.d/askpass-fifo.c

plugins.d/mandos-client.c

plugins.d/mandos-client.xml

plugins.d/usplash.c

Show diffs side-by-side

added added

removed removed

plugin-runner.c

#define BUFFER_SIZE 256

#define PDIR "/lib/mandos/plugins.d"

#define PHDIR "/lib/mandos/plugin-helpers"

#define AFILE "/conf/conf.d/mandos/plugin-runner.conf"

const char *argp_program_version = "plugin-runner " VERSION;

347

348

349

int main(int argc, char *argv[]){

349

350

char *plugindir = NULL;

351

char *pluginhelperdir = NULL;

350

352

char *argfile = NULL;

351

353

FILE *conffp;

352

struct dirent **direntries;

354

struct dirent **direntries = NULL;

353

355

struct stat st;

354

356

fd_set rfds_all;

355

357

int ret, maxfd = 0;

414

416

.doc = "Group ID the plugins will run as", .group = 3 },

415

417

{ .name = "debug", .key = 132,

416

418

.doc = "Debug mode", .group = 4 },

419

{ .name = "plugin-helper-dir", .key = 133,

420

.arg = "DIRECTORY",

421

.doc = "Specify a different plugin helper directory",

422

.group = 2 },

417

423

418

424

* These reproduce what we would get without ARGP_NO_HELP

419

425

545

551

case 132: /* --debug */

546

552

debug = true;

547

553

break;

554

case 133: /* --plugin-helper-dir */

555

free(pluginhelperdir);

556

pluginhelperdir = strdup(arg);

557

if(pluginhelperdir != NULL){

558

errno = 0;

559

}

560

break;

548

561

549

562

* These reproduce what we would get without ARGP_NO_HELP

550

563

601

614

case 130: /* --userid */

602

615

case 131: /* --groupid */

603

616

case 132: /* --debug */

617

case 133: /* --plugin-helper-dir */

604

618

case '?': /* --help */

605

619

case -3: /* --usage */

606

620

case 'V': /* --version */

761

775

goto fallback;

762

776

}

763

777

778

{

779

char *pluginhelperenv;

780

bool bret = true;

781

ret = asprintf(&pluginhelperenv, "MANDOSPLUGINHELPERDIR=%s",

782

pluginhelperdir != NULL ? pluginhelperdir : PHDIR);

783

if(ret != -1){

784

bret = add_environment(getplugin(NULL), pluginhelperenv, true);

785

}

786

if(ret == -1 or not bret){

787

error(0, errno, "Failed to set MANDOSPLUGINHELPERDIR"

788

" environment variable to \"%s\" for all plugins\n",

789

pluginhelperdir != NULL ? pluginhelperdir : PHDIR);

790

}

791

if(ret != -1){

792

free(pluginhelperenv);

793

}

794

}

795

764

796

if(debug){

765

797

for(plugin *p = plugin_list; p != NULL; p=p->next){

766

798

fprintf(stderr, "Plugin: %s has %d arguments\n",

795

827

}

796

828

}

797

829

}

798

TEMP_FAILURE_RETRY(close(plugindir_fd));

830

close(plugindir_fd);

799

831

}

800

832

}

801

833

829

861

ret = set_cloexec_flag(dir_fd);

830

862

if(ret < 0){

831

863

error(0, errno, "set_cloexec_flag");

832

TEMP_FAILURE_RETRY(close(dir_fd));

833

864

exitstatus = EX_OSERR;

834

865

goto fallback;

835

866

}

875

906

#endif /* not __GLIBC__ */

876

907

if(numplugins == -1){

877

908

error(0, errno, "Could not scan plugin dir");

878

TEMP_FAILURE_RETRY(close(dir_fd));

909

direntries = NULL;

879

910

exitstatus = EX_OSERR;

880

911

goto fallback;

881

912

}

888

919

int plugin_fd = openat(dir_fd, direntries[i]->d_name, O_RDONLY);

889

920

if(plugin_fd == -1){

890

921

error(0, errno, "Could not open plugin");

922

free(direntries[i]);

891

923

continue;

892

924

}

893

925

ret = (int)TEMP_FAILURE_RETRY(fstat(plugin_fd, &st));

894

926

if(ret == -1){

895

927

error(0, errno, "stat");

896

TEMP_FAILURE_RETRY(close(plugin_fd));

928

close(plugin_fd);

929

free(direntries[i]);

897

930

continue;

898

931

}

899

932

907

940

plugindir != NULL ? plugindir : PDIR,

908

941

direntries[i]->d_name);

909

942

}

910

TEMP_FAILURE_RETRY(close(plugin_fd));

943

close(plugin_fd);

944

free(direntries[i]);

911

945

continue;

912

946

}

913

947

914

948

plugin *p = getplugin(direntries[i]->d_name);

915

949

if(p == NULL){

916

950

error(0, errno, "getplugin");

917

TEMP_FAILURE_RETRY(close(plugin_fd));

951

close(plugin_fd);

952

free(direntries[i]);

918

953

continue;

919

954

}

920

955

if(p->disabled){

922

957

fprintf(stderr, "Ignoring disabled plugin \"%s\"\n",

923

958

direntries[i]->d_name);

924

959

}

925

TEMP_FAILURE_RETRY(close(plugin_fd));

960

close(plugin_fd);

961

free(direntries[i]);

926

962

continue;

927

963

}

928

964

{

961

997

if(ret == -1){

962

998

error(0, errno, "pipe");

963

999

exitstatus = EX_OSERR;

1000

free(direntries[i]);

964

1001

goto fallback;

965

1002

}

966

1003

if(pipefd[0] >= FD_SETSIZE){

967

1004

fprintf(stderr, "pipe()[0] (%d) >= FD_SETSIZE (%d)", pipefd[0],

968

1005

FD_SETSIZE);

969

TEMP_FAILURE_RETRY(close(pipefd[0]));

970

TEMP_FAILURE_RETRY(close(pipefd[1]));

1006

close(pipefd[0]);

1007

close(pipefd[1]);

971

1008

exitstatus = EX_OSERR;

1009

free(direntries[i]);

972

1010

goto fallback;

973

1011

}

974

1012

#ifndef O_CLOEXEC

976

1014

ret = set_cloexec_flag(pipefd[0]);

977

1015

if(ret < 0){

978

1016

error(0, errno, "set_cloexec_flag");

979

TEMP_FAILURE_RETRY(close(pipefd[0]));

980

TEMP_FAILURE_RETRY(close(pipefd[1]));

1017

close(pipefd[0]);

1018

close(pipefd[1]);

981

1019

exitstatus = EX_OSERR;

1020

free(direntries[i]);

982

1021

goto fallback;

983

1022

}

984

1023

ret = set_cloexec_flag(pipefd[1]);

985

1024

if(ret < 0){

986

1025

error(0, errno, "set_cloexec_flag");

987

TEMP_FAILURE_RETRY(close(pipefd[0]));

988

TEMP_FAILURE_RETRY(close(pipefd[1]));

1026

close(pipefd[0]);

1027

close(pipefd[1]);

989

1028

exitstatus = EX_OSERR;

1029

free(direntries[i]);

990

1030

goto fallback;

991

1031

}

992

1032

#endif /* not O_CLOEXEC */

997

1037

if(ret < 0){

998

1038

error(0, errno, "sigprocmask");

999

1039

exitstatus = EX_OSERR;

1040

free(direntries[i]);

1000

1041

goto fallback;

1001

1042

}

1002

1043

/* Starting a new process to be watched */

1008

1049

error(0, errno, "fork");

1009

1050

TEMP_FAILURE_RETRY(sigprocmask(SIG_UNBLOCK,

1010

1051

&sigchld_action.sa_mask, NULL));

1011

TEMP_FAILURE_RETRY(close(pipefd[0]));

1012

TEMP_FAILURE_RETRY(close(pipefd[1]));

1052

close(pipefd[0]);

1053

close(pipefd[1]);

1013

1054

exitstatus = EX_OSERR;

1055

free(direntries[i]);

1014

1056

goto fallback;

1015

1057

}

1016

1058

if(pid == 0){

1042

1084

/* no return */

1043

1085

}

1044

1086

/* Parent process */

1045

TEMP_FAILURE_RETRY(close(pipefd[1])); /* Close unused write end of

1046

pipe */

1047

TEMP_FAILURE_RETRY(close(plugin_fd));

1087

close(pipefd[1]); /* Close unused write end of pipe */

1088

close(plugin_fd);

1048

1089

plugin *new_plugin = getplugin(direntries[i]->d_name);

1049

1090

if(new_plugin == NULL){

1050

1091

error(0, errno, "getplugin");

1055

1096

error(0, errno, "sigprocmask");

1056

1097

}

1057

1098

exitstatus = EX_OSERR;

1099

free(direntries[i]);

1058

1100

goto fallback;

1059

1101

}

1102

free(direntries[i]);

1060

1103

1061

1104

new_plugin->pid = pid;

1062

1105

new_plugin->fd = pipefd[0];

1092

1135

}

1093

1136

}

1094

1137

1095

TEMP_FAILURE_RETRY(close(dir_fd));

1138

free(direntries);

1139

direntries = NULL;

1140

close(dir_fd);

1141

dir_fd = -1;

1096

1142

free_plugin(getplugin(NULL));

1097

1143

1098

1144

for(plugin *p = plugin_list; p != NULL; p = p->next){

1292

1338

free(custom_argv);

1293

1339

}

1294

1340

1341

free(direntries);

1342

1295

1343

if(dir_fd != -1){

1296

TEMP_FAILURE_RETRY(close(dir_fd));

1344

close(dir_fd);

1297

1345

}

1298

1346

1299

1347

/* Kill the processes */

1319

1367

free_plugin_list();

1320

1368

1321

1369

free(plugindir);

1370

free(pluginhelperdir);

1322

1371

free(argfile);

1323

1372

1324

1373

return exitstatus;

Older »